
sheivoko

Everything posted by sheivoko

  1. Have you ruled out DNS problems? Connect to the VPN, then:

         ping google.com
         ping 8.8.8.8

     If you can ping 8.8.8.8 but not google.com, it's a DNS problem. The file /etc/resolv.conf should contain 10.5.0.1 (or 10.4.0.1), the internal AirVPN DNS server, or any other reachable DNS server.

     If you can't ping 8.8.8.8, what are your iptables rules? If you do any firewalling, compare your rules to https://airvpn.org/topic/9139-prevent-leaks-with-linux-iptables/ . You're able to connect to the VPN server but maybe the FORWARD rules for the tun interface are incorrect/missing. The post I linked to uses eth0 in its example, your interface is wlan0 so you'd have to replace all mentions of eth+ with wlan+.
  2. Microsoft turning bugs into backdoors before fixing them:
     http://techrights.org/2013/06/15/nsa-and-microsoft/

     Stealth Windows updates:
     https://www.informationweek.com/microsoft-updates-windows-without-user-permission-apologizes/d/d-id/1059183?

     Apple circumventing its own security measures (i.e. supposedly encrypted backups), using undocumented iOS functions:
     http://arstechnica.com/security/2014/07/undocumented-ios-functions-allow-monitoring-of-personal-data-expert-says/

     HP's root backdoor to storage devices:
     http://news.dice.com/2013/07/11/hp-keeps-installing-secret-backdoors-in-enterprise-storage/

     "undocumented test interfaces" remote backdoors in Cisco routers:
     http://www.csoonline.com/article/2136221/network-security/cisco-confirms-undocumented-backdoor.html

     Undocumented, hardcoded backdoor accounts in Barracuda network appliances:
     http://www.networkcomputing.com/network-security/barracuda-security-equipment-contains-hardcoded-backdoors/d/d-id/1108344?

     Google's GTalkService / Google Play (remote app installation):
     https://jon.oberheide.org/blog/2010/06/25/remote-kill-and-install-on-google-android/
     https://jon.oberheide.org/blog/2010/06/28/a-peek-inside-the-gtalkservice-connection/
     https://www.duosecurity.com/blog/when-angry-birds-attack-android-edition

     Samsung Galaxy backdoor, allowing remote file i/o (disputed):
     https://www.fsf.org/blogs/community/replicant-developers-find-and-close-samsung-galaxy-backdoor

     Hardware vendors providing HDD firmware source code to NSA & friends:
     http://www.reuters.com/article/2015/02/16/us-usa-cyberspying-idUSKBN0LK1QV20150216

     The last one is not a built-in backdoor, but arguably even worse: Enabling the agencies to craft undetectable firmware modifications.

     Using proprietary software always means losing control over your hardware. The scary thing is: the most important kind of software - firmware - is almost always proprietary and / or inaccessible to the user.

     It's not going to get better anytime soon: Potential for CPU microcode backdoors
  3. sheivoko

    Firefox

    Adobe still supports Flash on Linux - they have only stopped developing feature updates but they still backport security fixes! Latest security bulletin, announcing updates for all platforms: https://helpx.adobe.com/security/products/flash-player/apsb15-02.html Alternatively, you can use Chrome's integrated "Pepper Flash Player", actively maintained by Google (security and feature updates). Also worth noting: YouTube has recently dropped Flash for HTML5 video as default
  4. ZPKZ is correct. Apart from that, private trackers will usually serve you personalized torrent files and also disable DHT/PEX for their torrents to prevent them from being shared publicly. Most torrent clients will show you detailed information on your torrents, for example Transmission: "Privacy: Private to this tracker -- DHT and PEX disabled."
  5. When generating config files for a region, check the option "All servers for area region" as shown in my screenshot. Currently, you're connecting to america.vpn.airdns.org which will return the "best" server for that region. After enabling that option, you'll be connecting to america.airvpn.org which will return a random one. Staff has explained the difference in this post: https://airvpn.org/topic/11022-server-details/?p=15524 You can additionally enable "Resolved hosts in .ovpn file" which will put all the actual IPs in your config file and add the "remote-random" instruction to tell your OpenVPN client / NetworkManager to pick a random one. Pro: You don't need working DNS to get a connection. Con: When AirVPN adds new servers to the region, you would have to get a new config file to make use of them.
  6. sheivoko

    Firefox

    Mozilla's FTP site: https://ftp.mozilla.org/pub/mozilla.org/firefox/releases/latest/
  7. What you're trying to do is theoretically possible but currently neither recommended nor supported by Tails. Before trying anything else, I would recommend taking a step back, getting a bit more familiar with Tails. Read both the FAQ https://tails.boum.org/support/faq/ and the documentation https://tails.boum.org/doc/

     - Tails is a "live" distro, any changes you make will be gone upon reboot
     - You can configure a persistent volume to store some changes you make but it's limited and very different from how you usually customize your OS
     - Tails is meant to be an out-of-the-box secure, firewalled solution for exiting through Tor.
     - Configuring a VPN on top would diametrically go against the design of Tails, you would potentially risk breaking Tails' secure setup.
  8. It's not just Chrome. It's an annoyance of CoinBase and other Bitcoin payment gateways: they want you to click the address, which takes you right into your Bitcoin application, I don't like it either. The easiest way to copy-paste: Don't try and select within the textbox! Start dragging the cursor juuuust outside the textbox:
  9. I think I know what's happening:

     - AirVPN client runs as root (via sudo)
     - it saves log file in $HOME/Desktop/
     - because it's running as root, $HOME = /root/ while you're expecting it to be /home/yourname/

     Workaround: In the file save dialog, click on "My computer", then "HDD" (if you have more than one, find the system drive), then navigate to /home/yourname/

     I think Air devs could fix this by getting the $HOME variable before asking for root permissions. If they miss this thread, try opening a ticket.
  10. I followed my tutorial again and also got this message - it's not a critical error message. Whatever the problem is, it must lie elsewhere. Some seconds later you should see:

          TCP connection established with [AF_INET]127.0.0.1:1412
          Address is local, not protecting socket fd 4
          TCP_CLIENT link local: (not bound)
          TCP_CLIENT link remote: [AF_INET]127.0.0.1:1412
          [server] Peer Connection Initiated with [AF_INET]127.0.0.1:1412
          Initialization Sequence Completed

      If OpenVPN doesn't get to this point, check your SSH tunnel configuration in ConnectBot once again (especially the port forwarding) and make sure it's connecting.

      Is "Address is local" really the last log message you see? OpenVPN usually throws a "connection refused" error if it can't connect. You might also want to read the extended OpenVPN logs (in the log window, press the menu icon (the 3 vertical dots) and select "Send log file", then open it in a text editor).
  11. How "multihosters" work: They buy a bunch of premium accounts from all these different file hosters and resell shared access - proxied through their own servers - to these accounts, for a cheaper price. The easiest way for file hosters to block multihosters is to block all access from IP ranges that are assigned to commercial server providers, assuming that their "legit" customers only come from IP addresses assigned to broadband providers. I believe that AirVPN IPs got caught in the crossfire for being in such an IP range. Not much you (or AirVPN) can do about it, this is very much part of the questionable business practices of "premium file hosters".
  12. Tutorial: SSH-Tunneled VPN on Stock Android

      0. Notes
      - no proprietary / commercial apps required. FOSS only! (Free and Open Source Software)
      - no root / custom ROM required
      - tested on Android 4.4.4
      - minimum requirement: Android 4.x

      1. Required apps
      - OpenVPN for Android
      - ConnectBot (any advanced SSH client will work, )
      - CyanogenMod File Manager (or pick any file manager you like)
      I highly recommend installing all of these apps via F-Droid, a Free Open Source Software platform: https://f-droid.org/
      In order to install F-Droid, you may need to temporarily "Allow installation of apps from unknown sources" in Android's security settings.

      2. Generate config files
      Use the AirVPN Generator (https://airvpn.org/generator/) to create SSH config files for Linux (not Android). Only pick one specific server.
      Screenshot #1: http://i.imgur.com/FWcuXH2.jpg

      3. Transfer config files
      We only need 2 out of the 3 generated files:
      - sshtunnel.key
      - the .ovpn profile
      Screenshot #2: http://i.imgur.com/p2L7T0l.jpg
      Transfer both of them to your Android's sdcard. Also, open the .ovpn file in a text editor and look for a line that starts with "route", it contains the server's IP - we will need it in step 5. Example:

          route 199.19.94.12 255.255.255.255 net_gateway

      That's the IP we will need.

      4. Import key file in ConnectBot
      Launch ConnectBot. Go into menu and "Manage Pubkeys".
      Screenshot #3: https://i.imgur.com/uGT3UgC.jpg
      Import the sshtunnel.key file.
      Screenshot #4: https://i.imgur.com/ZPYhI6V.jpg

      5. Configure SSH connection in ConnectBot
      Go to ConnectBot's main screen. At the bottom of the screen, enter:

          sshtunnel@199.19.94.12

      (Notice, that's the IP we took note of in step 3).
      Screenshot #5A: http://i.imgur.com/ludTDgv.jpg
      If the default port 22 is blocked, you can try an alternative port by appending it at the end: sshtunnel@199.19.94.12:80 or sshtunnel@199.19.94.12:53
      - Press Enter on your keyboard. It will try to connect and ask you to continue. Choose "Yes".
        Screenshot #5B: http://i.imgur.com/UJNpB9n.jpg
      - Cancel the connection, we need to configure it now. Long-press the newly created connection and choose "Edit host".
        Screenshot #6: https://i.imgur.com/n3OtM2D.jpg
      - Change "Use pubkey authentication" to "sshtunnel.key".
        Screenshot #7: https://i.imgur.com/CwfFSoO.jpg
      - Disable the option "Start shell session"
        Screenshot #8: https://i.imgur.com/l2niHqG.jpg
      - Consider enabling the option "Stay connected".

      6. Configure SSH port forwarding
      - Go to ConnectBot's main screen.
      - Long-press the new connection again, but this time choose "Edit port forwards". "Add port forward" with the following values:
          Type: Local
          Source port: 1412
          Destination: 127.0.0.1:2018
        Screenshot #9: https://i.imgur.com/TBnsKQx.jpg
      - Press "Create port forward". Configuration of the SSH connection is now complete.
      - Go back to ConnectBot's main screen and tap the connection entry to establish a connection. Leave the ConnectBot app using your "home" button.

      7. Import OpenVPN config
      - Launch "OpenVPN for Android"
      - Tap the folder icon. In the "Open from" dialog, choose "File Manager"
        Screenshot #10: https://i.imgur.com/Nhc6fDa.jpg
      - Pick the AirVPN_...SSH-22.ovpn file
      - OpenVPN will present you with an "import log", tap the "Save" file to accept.
      - You may want to dive into the new profile's settings, go to "ROUTING" and enable "Use default route".
      - in the ALLOWED APPS tab, find and select ConnectBot to exclude it from OpenVPN's routing

      8. Start OpenVPN connection
      - In OpenVPN's main screen, tap the VPN profile to establish the connection.
      - Provided that the SSH connection is still running, OpenVPN will be able to connect. Congratulations

      9. How to connect / disconnect from now on
      When establishing a connection, always
      - start the SSH connection first
      - then launch OpenVPN
      When disconnecting, always
      - disconnect the OpenVPN connection first
      - then disconnect SSH in ConnectBot

      10. Thoughts on reliability and firewalling
      If avoiding network leaks is important to you: be careful on Android, especially on unreliable mobile or WiFi networks that might cause the connection to collapse quite often. I don't have a solution for this potential issue on stock Android, but if you're on a rooted device, you should absolutely consider installing AFWall+ (available in F-Droid). AFWall+ allows you to firewall individual apps, restricting their network access to VPN-only. (You have to dive into its settings to enable VPN mode).

      Finally: Good luck!
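
Added example (not part of the original post, and not AirVPN's or ConnectBot's code): a small checker that reads the SSH-mode .ovpn profile from steps 3 to 6 of the tutorial above and derives the ConnectBot host string, the port-forward values, and the equivalent OpenSSH command line. It assumes the profile carries a "remote 127.0.0.1 1412" line (inferred from the log output quoted in the post above, not shown in the tutorial); the sample profile and the function names are constructed for illustration.

```python
import ipaddress

TUNNEL_DEST = "127.0.0.1:2018"  # forward destination given in step 6 of the tutorial
SSH_USER = "sshtunnel"          # SSH user given in step 5 of the tutorial

# Constructed sample; only the route line is taken from the tutorial.
SAMPLE_OVPN = """\
# constructed sample, not a real generated profile
client
dev tun
proto tcp
remote 127.0.0.1 1412
route 199.19.94.12 255.255.255.255 net_gateway
"""

def parse_profile(text):
    """Return (server_ip, remote_host, remote_port) from an SSH-mode profile."""
    server_ip = remote = None
    for raw in text.splitlines():
        fields = raw.strip().split()
        if not fields or fields[0][0] in "#;":  # blank line or comment
            continue
        if fields[0] == "route" and len(fields) >= 4 and fields[-1] == "net_gateway":
            # Host route that keeps the SSH server reachable outside the VPN.
            if fields[2] == "255.255.255.255":
                server_ip = str(ipaddress.ip_address(fields[1]))
        elif fields[0] == "remote" and len(fields) >= 3:
            remote = (fields[1], int(fields[2]))
    if server_ip is None:
        raise ValueError("no 'route <ip> 255.255.255.255 net_gateway' line found")
    if remote is None:
        raise ValueError("no 'remote <host> <port>' line found")
    return server_ip, remote[0], remote[1]

def is_loopback(host):
    """True if OpenVPN's remote points at the local end of the SSH forward."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def tunnel_plan(text, ssh_port=22, key="sshtunnel.key"):
    """Derive the SSH settings that match the profile, or raise ValueError."""
    server_ip, host, port = parse_profile(text)
    if not is_loopback(host):
        # A non-local remote means OpenVPN would connect directly, not via SSH.
        raise ValueError(f"remote {host} is not loopback: OpenVPN would bypass the SSH tunnel")
    target = f"{SSH_USER}@{server_ip}"
    return {
        "connectbot_host": target if ssh_port == 22 else f"{target}:{ssh_port}",
        "forward": ("Local", port, TUNNEL_DEST),
        # Listener bound to 127.0.0.1 only, no remote shell (-N).
        "ssh_argv": ["ssh", "-i", key, "-N", "-p", str(ssh_port),
                     "-L", f"127.0.0.1:{port}:{TUNNEL_DEST}", target],
    }

if __name__ == "__main__":
    plan = tunnel_plan(SAMPLE_OVPN)
    print("ConnectBot host:", plan["connectbot_host"])
    print("Port forward:   ", plan["forward"])
    print("OpenSSH command:", " ".join(plan["ssh_argv"]))
```

If the source port configured in ConnectBot differs from the port in the profile's remote line, OpenVPN reports a refused connection instead of reaching "Initialization Sequence Completed".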
  13. I have been able to connect via SSH with the following prerequisites:
      - Cyanogenmod 11 (or any other rom that ships with command-line ssh client)
      - OpenVPN for Android (available in F-Droid)
      - Terminal Emulator (preinstalled in CM; available in F-Droid)

      1. use the AirVPN generator to create config files for Linux (not Android!)
         - pick a specific server
         - choose SSH as connection mode
         - I recommend checking "Resolved hosts in .ovpn file"
      2. run the shell script in your Android terminal emulator to make the ssh connection
      3. import the .ovpn file in "OpenVPN for Android" and initiate the connection

      Now, how do we get there on stock Android? You can skip reading my following musings; I've figured out an easier way. Read the tutorial in my next post.
      [EDIT: split for clarity - go to https://airvpn.org/topic/13486-ssh-tunneled-vpn-on-stock-android/?do=findComment&comment=24983 ]

      It should be possible; none of the steps require root. The only problem is: While there are countless (GUI) SSH apps in F-Droid and the Play Store, you would need one that lets you
      - use a key file for SSH authentication
      - open a local listening port (ssh -L)

      I do not use Google's Play Store on my devices so my own "research" stops there. If I were to try any apps - "Better Terminal Emulator Pro" looks promising as it includes a command-line SSH client. If that app doesn't work or, like me, you don't want to use the Play Store, you might want to try KBOX2 in order to get a true cli ssh client: http://kevinboone.net/kbox2.html

      If I find some free time (and if KBOX2 turns out to be a viable alternative), I will write a follow-up post.

      EDIT 1: Apparently, ConnectBot (in F-Droid and Play Store) can handle key files and forwarding but I have yet to be able to get it to work.

      EDIT 2: 1st road bump with KBOX2: It looks like the dropbear ssh client doesn't like our keyfile format. Solution: convert keyfile with "dropbearconvert":

          dropbearconvert openssh dropbear sshtunnel.key id_rsa.db

      (Install dropbear on a linux desktop, run the command, then change the AirVPN .sh script, swapping out "sshtunnel.key" with "id_rsa.db")

      EDIT 3: My KBOX2 experiment seems to work. I can't say for sure because I'm working in the Android emulator - which won't let OpenVPN create a tun device, but I don't see any connection-related issues... I'm fairly certain it'd work on a real Android device.

      EDIT 4: Alright, all this KBOX2 nonsense is unnecessary! ConnectBot can port-forward and use the keyfile too, much easier than setting up KBOX2. Read the tutorial below.
  14. 1. Adblocking: An elegant solution would be to use a DNS server that blacklists ad/tracking networks. Maybe worth asking staff how they feel about providing an alternative configuration option.

      2. IPsec: As you mentioned the hash function, I assume you mean how reliable the cryptography/implementation of IPsec is? The current consensus seems to be:
      - IPsec itself is (probably) not broken yet
      - NSA and friends attack it by:
        - stealing the keys off compromised servers / endpoints
        - breaking/brute-forcing weak key exchanges
      Mitigations:
      - PFS/Perfect Forward Secrecy (ask your provider)
      - don't authenticate with Pre-Shared-Keys (passwords)
      - if you have to use a PSK, at least choose one that's harder to brute-force
      Detailed information on this topic: https://nohats.ca/wordpress/blog/2014/12/29/dont-stop-using-ipsec-just-yet/

      3. Fingerprinting on iOS: Actually, fingerprinting on iOS should be a lesser issue when compared with desktop fingerprinting. iOS users using the default browser should all look alike, shouldn't they? Same OS, architecture, browser, version, fonts, .. Unless Apple grants access to unique device identifiers - which I believe they only do for apps, not websites.

      4. Using Tor on iOS: You didn't ask about it, but I'll share my thoughts anyway. Don't rely on any iOS app for strong privacy/anonymity. Fighting for freedom on a locked-down platform is a lost cause. I'd still suggest taking a look at "Onion Browser" which utilizes Tor, but keep in mind that it's not endorsed by or in any way related to the official Tor Project. Here's the developer's website: https://mike.tig.as/onionbrowser/ The last time I used it (years ago), it felt limited, but usable. The developer seems quite humble about what the browser can and cannot do, which is a good sign. They've also had a code audit last year. There's another Tor-powered browser called "Red Onion" that I don't know anything about. However, I do know that the same developer also sells an app called "Fart Call" - ouch.
  15. How are sites like Deepdotweb supposed to know how trustworthy any given VPN provider is? (They can't even get their facts* straight.) On a scale of journalistic quality I'd even rank naïve-sensationalist TorrentFreak higher than Deepdotweb. In some way, I'm even happy that AirVPN won't get a lot of traffic from these places. Again, kudos to AirVPN for not participating in advertisement campaigns on such sites. Not finding any bullshit marketing or "sponsored" reviews was one of the main reasons that I ended up here.

      * When judging trustworthiness of VPN providers, you don't deal with facts. This is all you have available:
      - unverifiable claims by the provider
      - the provider's track record, history, milieu and behavior
      With this limited set of information, you draw your conclusions. Which don't quite fit into a spreadsheet.
  16. Interesting, this might have made all the difference, as WebRTC/STUN does some NAT magic to map local/WAN ip and port. For testing purposes, can you please try this test while disabling the VPN on your router and connecting to AirVPN directly with your computer? Even if you don't firewall anything, I would be very surprised if your ISP IP was discovered.
  17. go558a83nk, even without any firewalling, I have yet to understand how exactly WebRTC/STUN is able to figure out your WAN while a VPN tunnel is established and set as the one and only route - I will do some testing on this tomorrow; in any case, if your firewall:
      - denies all incoming traffic
      - denies all outgoing traffic except to AirVPN entry server(s)
      then there's no way for any application, including browser/WebRTC, to obtain your WAN address. They can phone home but it'll either happen via VPN or it'll fail. AirVPN's Eddie client comes with a similar "network lock" feature.
  18. Nice tip! This also serves as a good test of your firewall setup. On a properly firewalled system, this test will reveal all your LAN, but not WAN addresses.
  19. IRC: I am against Freenode because they discriminate against Tor users. Oddly enough, "Anonops" has an even worse Tor policy! From the instructions on their site on how to connect via Tor: "You must have a registered nick which has been active for 3 days on our network." OFTC has none of these restrictions, allowing channel mods to decide on their own Tor policy. XMPP: My guess would be that IRC is still more popular, but I like the idea! I'll be idling in lounge@conference.xmpp.airvpn.org
  20. You have to differentiate between using Tor and running Tor server infrastructure: Using Tor cannot and will not lead to sites blocking AirVPN servers. It is, as you said, a legitimate use of AirVPN. However, running Tor servers through AirVPN is nonsensical. Not only does it cause disruption for other Air users, AirVPN already runs/sponsors dedicated Tor exits which are much faster than any of the exits that have been run by users through AirVPN. https://airvpn.org/mission/ It's the only solution available. No matter what VPN provider / proxy / onion routing service you use, it always means that you're using a shared connection to the internet. You will always face these kinds of problems. Yes. Make your point in a friendly manner. Tell them how and why their anti-spam/ddos measures are inefficient and what side effects they cause for privacy-aware users like yourself. If they don't react at least sympathetically to your cause, find a better resource for what you're looking for - they obviously don't care about their users so why should you care about them?
  21. A few notes and corrections:

      1. Very few sites actually block AirVPN, however, some sites block Tor IPs. The issues you had with some NL servers are probably related to people unfortunately running Tor exits through AirVPN. https://airvpn.org/topic/12340-stop-running-tor-servers-behind-airvpn/
      2. You do not have to turn off AirVPN, just try a different server. I have tried the sites you mentioned, they don't block AirVPN in its entirety.
      3. If you want to know whether your current AirVPN server is also being used as a Tor exit, you can check http://ipleak.net/
  22. No, only Tor relays (especially exit relays) are the cause of these issues.
  23. I like the idea of an AirVPN "chat lounge" of some sort. However, I wouldn't choose Freenode for two reasons:
      - restrictive Tor policy (you can't connect via Tor unless you're registered, which they don't allow you to do via Tor).
      - they've blocked AirVPN (and other VPNs) in the recent past: https://airvpn.org/topic/9399-freenode-bans-airvpn-users/

      The OFTC network - also the home of Tor's channels - might be a better fit, what do you think? In any case, for such a channel to "take off" AirVPN would have to mention it on its site, so let's hear how staff feels about an IRC channel.
  24. 10.4.0.1 should be reachable regardless of connection method (port / protocol). The full list of internal addresses can be found at the bottom of this page: https://airvpn.org/specs/
  25. I cannot confirm this at all. Are you sure your system is configured to use Air's DNS? What OS are you running? Use dig or nslookup(.exe) and post some output. That's what it looks like for me:

          dig +short @10.7.0.1 torproject.org
          82.195.75.101
          38.229.72.16
          154.35.132.70
          93.95.227.222
          86.59.30.40